What are the least privileges required for a user to perform creates, deletes, modifications, backup, and recovery for an Amazon RDS DB instance?
I want to limit the access that I give my AWS Identity and Access Management (IAM) users to an Amazon Relational Database Service (Amazon RDS) DB instance. How can I grant IAM users the least privileges required to perform a specific action for an Amazon RDS DB instance?
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
1. Open the IAM console, and then choose Users from the navigation pane.
2. Choose Add user, and then enter a User name.
3. For Access type, choose AWS Management Console access, and then create a password for using the Amazon RDS console. To provide access to the AWS Command Line Interface (AWS CLI), choose Programmatic access.
Important: For Programmatic access, be sure to download the access key ID and the secret access key by choosing Download.csv. You need the keys to create the security tokens later.
4. Review the permissions and tags, and then choose Create user. This creates an IAM user with the IAMUserChangePassword policy.
5. Create IAM policies for the actions that you want to perform in Amazon RDS.
6. Return to the IAM console, and then choose Users from the navigation pane.
7. Choose the IAM user that you created.
8. From the Permissions tab, choose Add inline policy.
9. Choose the JSON tab, and then enter one or more of the following policies based on your use case.
Note: The following policies provide the least privileges required to perform the specified actions. You might see errors (such as IAMUser is not authorized to perform: rds:Action) in the Amazon RDS console because this privilege isn't present in the policy. Most often, this error occurs for Describe actions. The error is expected, and it doesn't affect your ability to perform those actions. To avoid this error, you can modify the following example IAM policies, or you can perform actions by using the AWS CLI.
Creating and deleting RDS DB instances
The following policy allows users to create RDS DB instances without encryption activated:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeInternetGateways", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "rds:Describe*", "rds:ListTagsForResource", "rds:CreateDBInstance", "rds:CreateDBSubnetGroup" ], "Resource": "*" } ] }
The following policy allows users to create RDS DB instances with encryption activated:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeInternetGateways", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "rds:Describe*", "rds:ListTagsForResource", "rds:CreateDBInstance", "rds:CreateDBSubnetGroup", "kms:ListAliases" ], "Resource": "*" } ] }
Note: To use a customer managed key for encryption instead of the default AWS managed key, you must authorize the use of a customer managed key.
The following policy allows users to delete RDS DB instances:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:DeleteDBInstance", "rds:DescribeDBInstances" ], "Resource": "*" } ] }
The following policy allows users to create and delete RDS DB instances:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeInternetGateways", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "rds:Describe*", "rds:ListTagsForResource", "rds:CreateDBInstance", "rds:CreateDBSubnetGroup", "rds:DeleteDBInstance" ], "Resource": "*" } ] }
Stopping and starting RDS DB instances
The following policy allows users to stop and start RDS DB instances:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:StopDBInstance", "rds:StartDBInstance", "rds:Describe*" ], "Resource": "*" } ] }
Performing backup and recovery (creating DB snapshots, restoring DB instance from DB snapshots, and point in time restore)
The following policy allows users to create DB snapshots:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:Describe*", "rds:CreateDBSnapshot" ], "Resource": "*" } ] }
The following policy allows users to restore RDS DB instances using DB snapshots:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:Describe*", "rds:Describe*", "rds:RestoreDBInstanceFromDBSnapshot" ], "Resource": "*" } ] }
The following policy allows users to perform point in time recovery:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:Describe*", "rds:Describe*", "rds:RestoreDBInstanceToPointInTime" ], "Resource": "*" } ] }
Modifying RDS DB instances
The following policy allows users to change DB instance class type, allocated storage, storage type, and instance version:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:Describe*", "rds:Describe*", "rds:ModifyDBInstance" ], "Resource": "*" } ] }
Activating Enhanced Monitoring and Performance Insights
The following policy allows users to activate Enhanced Monitoring. Be sure to replace AccountID with each account that is receiving the enhanced monitoring role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListRoles", "rds:ModifyDBInstance", "rds:Describe*", "ec2:Describe*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::AccountID:role/rds-monitoring-role" } ] }
Note: When used with an iam:PassRole, a wildcard (*) is overly permissive because it allows iam:PassRole permissions on all resources. Therefore, it's a best practice to specify the Amazon Resource Names (ARNs), as shown in the example earlier.
The following policy allows users to activate Performance Insights:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:ModifyDBInstance", "ec2:Describe*", "rds:Describe*", "pi:*" ], "Resource": "*" } ] }
Creating, modifying, and deleting DB parameter groups and DB option groups
The following policy allows users to create, modify, or delete DB parameter groups and option groups:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:Describe*", "rds:Describe*", "rds:CreateDBParameterGroup", "rds:ModifyDBParameterGroup", "rds:DeleteDBParameterGroup", "rds:CreateOptionGroup", "rds:ModifyOptionGroup", "rds:DeleteOptionGroup" ], "Resource": "*" } ] }
Viewing Amazon CloudWatch metrics from the Amazon RDS console
The following policy allows users to view CloudWatch metrics from the Amazon RDS console:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:Describe*", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics" ], "Resource": "*" } ] }
10. Choose Review policy.
11. Enter a Name for your policy, and then choose Create policy.
Related information
Identity and access management for Amazon RDS
How do I allow users to authenticate to an Amazon RDS MySQL DB instance using their IAM credentials?
Relevant content
- asked 4 months ago
- Accepted Answerasked 4 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
